Re: PF questions
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF questions
- From: "Arne P. Boettger" <apb_(_at_)_wohnheim_(_dot_)_fh-wedel_(_dot_)_de>
- Date: Mon, 28 Oct 2002 11:42:17 +0100
> is there finally a way to make an ACL based on MAC address? I want all
> of our machines have internet access but I don't want anyone to bring
> any of their home laptops and figure out the ip configuration and browse
> the net etc.
No, it's not possible, and you probably shouldn't do this. If the
employees aren't complete morons, they'll soon figure out how to
change their MAC address.

It's better to use a tool like arpwatch to monitor MAC<->IP address
mappings and coincidentally show up to tell them that what they do
is against the company policy and could cost them their employment.
> Also "content-filtering" isn't working in pf either, is it?.. (as in drop
> every packet that contains root.exe for example)
That's not really possible because there are endless different ways
to encode root.exe to finally find a way that's not filtered.
Your best bet would be an application-proxy, but that's as far as I
know beyond OpenBSD's scope.
,``o. OpenBSD - Debian GNU/Linux - Solaris >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb_(_at_)_createx_(_dot_)_de> /\\
',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V
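
The MAC<->IP monitoring suggested in the reply above, sketched as an added example (not part of the original message and not arpwatch's own code): it tracks which MAC address answers for each IP and reports every change in the pairing. The input line format (`timestamp ip mac`), the event labels and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations (timestamp, IP, MAC); not real traffic.
SAMPLE = """\
2002-10-28T09:00:01 192.168.1.10 00:a0:c9:11:22:33
2002-10-28T09:00:05 192.168.1.11 00:a0:c9:44:55:66
2002-10-28T11:30:12 192.168.1.10 00:a0:c9:11:22:33
2002-10-28T13:02:40 192.168.1.10 00:10:5a:de:ad:01
2002-10-28T13:05:02 192.168.1.10 00:a0:c9:11:22:33
2002-10-28T13:07:19 192.168.1.12 00:10:5a:de:ad:01
"""

def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated, zero-padded octets."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def detect(lines):
    """Return (timestamp, event, ip, mac, previous_mac) for each pairing change."""
    current = {}                    # ip -> MAC currently bound to it
    previous = {}                   # ip -> MAC bound before the last change
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue                # skip blank or malformed lines
        ts, ip, mac = fields[0], fields[1], normalize_mac(fields[2])
        old = current.get(ip)
        if old is None:
            events.append((ts, "new station", ip, mac, None))
        elif old != mac:
            # Returning to the MAC held before the last change is a flip flop.
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            events.append((ts, kind, ip, mac, old))
            previous[ip] = old
        # One MAC answering for several IPs: a re-addressed or spoofing host.
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            events.append((ts, "mac seen on another ip", ip, mac, None))
        ips_by_mac[mac].add(ip)
        current[ip] = mac
    return events

if __name__ == "__main__":
    for event in detect(SAMPLE.splitlines()):
        print(*event)
```

On the sample, the alerts worth following up are the address change on 192.168.1.10, its flip back, and the same MAC later appearing on 192.168.1.12.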